When an API that requires two step verification through 6-digit email codes is called for a moderated account, the 6-digit code is send to the user email just like in normal accounts. However if the user tries to verify the captcha through the following endpoint:
https://twostepverification.roblox.com/v1/users/{userId}/challenges/email/verify
They get the error “The user is moderated”
It makes no sense for Roblox to block the completion of the captcha if an account is moderated, because it sends the 6-digit code to the user email(basically it allows the start of the captcha process). I don’t see how a moderated/blocked error fits in an API serving a security feature.